set_outliers_detection_parameter

Use this command to modify one or more parameters of the outliers detection configuration.

Important: Do not modify the defaults unless you are working with someone knowledgeable in outlier mining.

This API is available in Guardium V9.5 and later.

GuardAPI syntax

set_outliers_detection_parameter parameter_name=name parameter_value=value

Parameters

Parameter Value type Description
cleanupKeepDays String The number of days to retain model data on the collector. Default = 90
sensitiveObjectGroup Comma separated list of strings Adds additional object groups (tables, views, and more) to the outliers detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: sensitiveObjectGroup=Sensitive Objects
sensitiveFileGroup Comma separated list of strings Adds additional file groups to the outliers detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: sensitiveFileGroup=Sensitive Files
privUsersGroup Comma separated list of strings Adds additional privileged user groups to the outliers detection algorithm. Use this command to find a group name: grdapi list_group_by_desc desc=<group name>. Factory setting: privUsersGroup=Admin Users
minDaysForAlerts   The number of days of activity required before outlier alerts are produced. The value for this parameter cannot exceed the value of the parameter budgetTrainingDays.

Default = 7

intervalAlertsThreshold numeric The score at which an anomaly becomes an outlier. Lowering it makes the system more sensitive: anomalies with a lower score are reported as outliers, at the cost of more false positives. Raising it makes the system less sensitive, so fewer anomalies are reported as outliers.

Default = 0.99

maxMessageAlertsTopScores integer High volume outliers only. The number of rows in the Details tab of a high volume outlier. The rows present details of the highest scoring anomalies that occurred during the hour.

Default = 500

maxMessageAlertsSampleSizePerAlertType integer Non-high-volume outliers only. The number of sample anomalies shown for a summary alert. The sample rows of a non-high-volume outlier are in no particular order, because the score is not relevant for these outliers and no object is newer than another. Default = 500
messageAlertsThreshold   Internal use only. Do not modify.
minNumIntervalsForFirstClustering integer The time period, in hours, until users are initially assigned to clusters. Valid values:
  • 0: disables clustering (set clusteringScheduleIntervals=0 as well)
  • 1 and higher: the number of hours until users are first clustered
Default = 168
minNumIntervalsForMessageScorers   Internal use only. Do not modify.
minNumIntervalsForIntervalScorers   Internal use only. Do not modify.
numOfAnalyzeThreads   Internal use only. Do not modify.
alertsPerDay integer The target number of outliers you want to receive per day. The alert score threshold is derived from statistics for the last budgetTrainingDays days; each hour, the system reports the outliers with the highest scores.
Fewer outliers than alertsPerDay may be reported on a day that simply had few outliers. If there are suddenly many outliers with a score above the threshold, all of them are reported; this parameter does not cap them, so an acute situation is not suppressed.
budgetTrainingDays integer The number of days the system looks back for learning. The value for this parameter cannot be less than the value of the parameter minDaysForAlerts. Default = 14.
demoMode boolean Used for demo only. Valid values:
  • 0: not in demo mode
  • 1: periods where there’s no activity at all are ignored, and do not affect the statistics.
Default = 0
nanny.duration.analysis   Internal use only. Do not modify.
nanny.duration.clean   Internal use only. Do not modify.
nanny.duration.reconfig   Internal use only. Do not modify.
nanny.duration.maintenance   Internal use only. Do not modify.
runCaseAnalysis boolean Used for Advanced threat analytics. Valid values:
  • false: the case analysis process does not run.
  • true: the case analysis process runs right after the outlier mining process.
debugMode boolean Controls whether debug details are written to the debug tables. Valid values:
  • false: debug data is not written to the debug tables.
  • true: debug data is written to the debug tables. Use this when there is a problem and you want to send a "must gather" to Guardium Support. The parameter automatically reverts to false after 3 days.
    1. Set the parameter to true.
    2. Wait 3-4 hours.
    3. Run the 'data mining' must gather.
    4. Set the parameter back to false.
Default = false
clusteringScheduleIntervals integer The frequency at which the clustering algorithm runs. To disable clustering, set both this parameter and minNumIntervalsForFirstClustering to 0.
api_target_host String Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on that managed unit. For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.

Examples

Add the sensitive object groups 5, 333, and 156 to the outliers detection algorithm:

grdapi set_outliers_detection_parameter parameter_name=sensitiveObjectGroupIds parameter_value=5,333,156
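The following shell script is an added example; it is not IBM code and does not come from the Guardium documentation. It wraps the grdapi call so that the value constraints from the parameter table, in particular that minDaysForAlerts may not exceed budgetTrainingDays, are checked locally before anything reaches the appliance, and it orders a paired change of those two parameters so that no intermediate state violates the constraint. It assumes that the appliance checks each call against the currently stored value of the other parameter, that the caller already knows the values currently in effect, and that on the Guardium CLI GRDAPI is pointed at the real grdapi; by default it only prints the commands so it can be dry-run anywhere. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not IBM's code). Builds set_outliers_detection_parameter
# calls and checks the documented constraints before they are sent.
# GRDAPI defaults to "echo grdapi" (dry run); on the Guardium CLI run with
# GRDAPI=grdapi to execute the commands for real.
GRDAPI="${GRDAPI:-echo grdapi}"

# True if $1 is a non-negative integer (the form the *Days parameters take).
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit (or execute) one parameter change.
# $1 parameter_name, $2 parameter_value, $3 optional api_target_host.
outlier_param_cmd() {
    name=$1; value=$2; target=${3:-}
    set -- set_outliers_detection_parameter "parameter_name=$name" "parameter_value=$value"
    if [ -n "$target" ]; then
        set -- "$@" "api_target_host=$target"
    fi
    $GRDAPI "$@"
}

# Join group IDs into the comma-separated list the API expects, rejecting
# empty entries so a stray argument cannot silently shorten the list.
group_list() {
    list=
    for g in "$@"; do
        if [ -z "$g" ]; then
            echo "empty group entry" >&2
            return 1
        fi
        list="${list:+$list,}$g"
    done
    printf '%s\n' "$list"
}

# Reject a (minDaysForAlerts, budgetTrainingDays) pair the API would reject:
# both must be integers and minDaysForAlerts must not exceed budgetTrainingDays.
check_training_window() {
    min_days=$1; budget_days=$2
    if ! is_uint "$min_days" || ! is_uint "$budget_days"; then
        echo "training window values must be integers: '$min_days' '$budget_days'" >&2
        return 1
    fi
    if [ "$min_days" -gt "$budget_days" ]; then
        echo "minDaysForAlerts=$min_days exceeds budgetTrainingDays=$budget_days" >&2
        return 1
    fi
    return 0
}

# Change both window parameters. Assumption: the appliance validates each
# call against the value currently stored for the other parameter, so the
# order matters. When the budget grows, widen it first; when it shrinks,
# lower minDaysForAlerts first. $3/$4 are the values currently in effect
# (read them from the existing configuration first); $5 is an optional
# api_target_host.
apply_training_window() {
    new_min=$1; new_budget=$2; cur_min=$3; cur_budget=$4; target=${5:-}
    check_training_window "$new_min" "$new_budget" || return 1
    check_training_window "$cur_min" "$cur_budget" || return 1
    if [ "$new_budget" -ge "$cur_budget" ]; then
        outlier_param_cmd budgetTrainingDays "$new_budget" "$target" &&
        outlier_param_cmd minDaysForAlerts "$new_min" "$target"
    else
        outlier_param_cmd minDaysForAlerts "$new_min" "$target" &&
        outlier_param_cmd budgetTrainingDays "$new_budget" "$target"
    fi
}

# Dry-run demonstration (constructed values; prints the commands when
# GRDAPI is unset). Raising both window parameters on all managed units:
outlier_param_cmd sensitiveObjectGroupIds "$(group_list 5 333 156)" all_managed
apply_training_window 10 21 7 14 all_managed
```

With GRDAPI unset the demonstration prints the budgetTrainingDays call before the minDaysForAlerts call, because the budget is being widened; shrinking it (for example apply_training_window 3 7 7 14) reverses the order. A value pair that violates the constraint, such as minDaysForAlerts=20 with budgetTrainingDays=14, is refused locally with a message on stderr and no command is emitted.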